By convention, any interceptor CFC must create a method with the same name as the event they want to listen to. This method has a return type of boolean and receives 5 arguments. So let's explore their rules.

boolean function {point}( event, data, buffer, rc, prc );


  • event which is the request context object

  • data which is a structure of data that the broadcaster sends

  • buffer which is a request buffer object you can use to elegantly produce content that is outputted to the user's screen

  • rc reference to the request collection struct

  • prc reference to the private request collection struct

Return type

The intercepting method returns boolean or void. If boolean then it means something:

  • True means break the chain of execution, so no other interceptors in the chain will fire.

  • False or void continue execution

component extends="coldbox.system.Interceptor"{

    function configure(){}

    boolean function afterConfigurationLoad(event,data,buffer){
        if( getProperty('interceptorCompleted') eq false){

        return false;

Also remember that all interceptors are created by WireBox, so you can use dependency injection, configuration binder's, and even AOP on interceptor objects. Here is a more complex sample:

HTTP Security Example:

* Intercepts with HTTP Basic Authentication
component {

    // Security Service
    property name="securityService" inject="id:SecurityService";

    void function configure(){
        if( !propertyExists("enabled") ){
            setProperty("enabled", true );

    void function preProcess(event,struct data, buffer){

        // verify turned on
        if( !getProperty("enabled") ){ return; }

        // Verify Incoming Headers to see if we are authorizing already or we are already Authorized
        if( !securityService.isLoggedIn() OR len( event.getHTTPHeader("Authorization","") ) ){

            // Verify incoming authorization
            var credentials = event.getHTTPBasicCredentials();
            if( securityService.authorize(credentials.username, credentials.password) ){
                // we are secured woot woot!

            // Not secure!
            event.setHTTPHeader(name="WWW-Authenticate",value="basic realm=""Please enter your username and password for our Cool App!""");

            // secured content data and skip event execution
            event.renderData(data="<h1>Unathorized Access<p>Content Requires Authentication</p>",statusCode="401",statusText="Unauthorized")



Last updated